lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Jun 2020 13:48:18 +0200 From: Peter Zijlstra <peterz@...radead.org> To: Joerg Roedel <jroedel@...e.de> Cc: Andy Lutomirski <luto@...nel.org>, Joerg Roedel <joro@...tes.org>, Dave Hansen <dave.hansen@...el.com>, Tom Lendacky <Thomas.Lendacky@....com>, Mike Stunes <mstunes@...are.com>, Dan Williams <dan.j.williams@...el.com>, Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>, Juergen Gross <JGross@...e.com>, Jiri Slaby <jslaby@...e.cz>, Kees Cook <keescook@...omium.org>, kvm list <kvm@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, Thomas Hellstrom <thellstrom@...are.com>, Linux Virtualization <virtualization@...ts.linux-foundation.org>, X86 ML <x86@...nel.org>, Sean Christopherson <sean.j.christopherson@...el.com>, Andrew Cooper <andrew.cooper3@...rix.com> Subject: Re: Should SEV-ES #VC use IST? (Re: [PATCH] Allow RDTSC and RDTSCP from userspace) On Tue, Jun 23, 2020 at 01:30:07PM +0200, Joerg Roedel wrote: > Note that this is an issue only with secure nested paging (SNP), which > is not enabled yet with this patch-set. When it gets enabled a stack > recursion check in the #VC handler is needed which panics the VM. That > also fixes the #VC-in-early-NMI problem. But you cannot do a recursion check in #VC, because the NMI can happen on the first instruction of #VC, before we can increment our counter, and then the #VC can happen on NMI because the IST stack is a goner, and we're fscked again (or on a per-cpu variable we touch in our elaborate NMI setup, etc..). There is no way I can see SNP-#VC 'work'. The best I can come up with is 'mostly', but do you like your bridges/dikes/etc.. to be mostly ok? Or do you want a guarantee they'll actually work? I'll keep repeating this, x86_64 exceptions are a trainwreck, and IST in specific is utter crap.
Powered by blists - more mailing lists